Who Am I


Jake Labelle 
Associate Security Consultant at F-Secure


Been on a couple of Mainframe jobs (not an
expert)


Streaming from Basingstoke, UK 


Was going to put a picture but just look 
to the right 


z/OS High Level


Mainframe operating System 
Datasets 

REXX 

JCL

RACF 

OMVS 


DATASETS 


USER01.REXXLIB(HELLO)
FLAT FILESYSTEM 
APOSTROPHES 

PDS (MEMBERS) 


REXX 


• SCRIPTING LANGUAGE
• ADDRESS
• OUTTRAP


/*REXX*/
DATASET.TEST = "'SEP2.TEST'"
address TSO "LISTDSD "DATASET.TEST


JCL


• JOB CONTROL LANGUAGE
• BATCH JOB
• JOB CARD - USER=X


//USER1K JOB 'EXAMPLE',NOTIFY=&SYSUID,USER="id",MSGCLASS=H
//TSOCMD EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
EXEC 'GATOR.GATOR' '"oldid"'
/*


JCL IN A REXX 


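/*REXX*/
/* Arguments: id and oldid, separated by a comma */
PARSE ARG id ',' oldid

/* Queue the JCL on the data stack; "//"id"K" abuts with no blanks */
QUEUE "//"id"K JOB 'RECURSE',NOTIFY=&SYSUID,USER="id",MSGCLASS=H,"
QUEUE "// MSGLEVEL=(1,1)"
QUEUE "//TSOCMD EXEC PGM=IKJEFT01"
QUEUE "//SYSTSPRT DD SYSOUT=*"
QUEUE "//SYSTSIN DD *"
QUEUE "EXEC 'GATOR.GATOR' '"oldid"'"
QUEUE "/*"
QUEUE "$$"

/* Trap the SUBMIT messages, then submit the queued job up to $$ */
o = OUTTRAP("output.",,"CONCAT")
"SUBMIT * END($$)"
o = OUTTRAP("OFF")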


OMVS


• UNIX SUBSYSTEM
• LIKE WSL
• RACF MANAGES SECURITY


RACF 


Resource Access Control Facility 


DIFFERENT TYPES OF RESOURCES, E.G. DATASETS,
SURROGATS


RESOURCE OWNERS 
UACC 

PERMIT 

SPECIAL = ROOT 


RACF RESOURCE
*.SUBMIT

BPX.SRV.*
DFHSTART.*
READ ACCESS


SURROGAT 


SURROGAT CHAINS 


LOTS OF USERS - WHO KNOWS WHAT THEY WERE FOR 

RUNNING FOR DECADES 

USER1 > USER2 > USER3

RLIST SURROGAT *

USER1 CAN'T SEE USER2 > USER3

*.SUBMIT IS A BATCH JOB

COULD MANUALLY SUBMIT REVERSE SHELLS BUT SEE POINT 1

COULD USE A USER WITH READ ACCESS TO ALL RESOURCES (SPECIAL)?
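
Added example, not from the talk or the Gator scripts: the USER1 > USER2 > USER3 problem from the auditor's side, where every SURROGAT permit is visible. It follows only userid.SUBMIT and BPX.SRV.userid profiles, stops at SPECIAL users, and emits Graphviz DOT; the permit tuples, user names and function names are constructed for this example.

```python
import re
from collections import deque

# Constructed sample, not real data: (SURROGAT profile, user permitted READ).
PERMITS = [
    ("USER2.SUBMIT", "USER1"),
    ("BPX.SRV.USER3", "USER2"),
    ("USER4.SUBMIT", "USER3"),
    ("USER2.SUBMIT", "USER3"),    # loops back; must not walk forever
    ("USER9.DFHSTART", "USER1"),  # other surrogate type, not followed here
]
SPECIAL = {"USER4"}  # constructed: users holding the SPECIAL attribute

# The userid in the profile name is who the permitted user can act as.
PROFILE = re.compile(r"^(?:([A-Z0-9#$@]+)\.SUBMIT|BPX\.SRV\.([A-Z0-9#$@]+))$")

def build_edges(permits):
    """Return {user: [(target, kind), ...]} for every followed permit."""
    edges = {}
    for profile, user in permits:
        m = PROFILE.match(profile.upper())
        if m:
            kind = "SUBMIT" if m.group(1) else "BPX.SRV"
            edges.setdefault(user.upper(), []).append((m.group(1) or m.group(2), kind))
    return edges

def chains_to_special(edges, special):
    """Breadth-first walk from each user; shortest chain to each SPECIAL user."""
    findings = {}
    for start in edges:
        seen, queue = {start}, deque([[start]])
        while queue:
            path = queue.popleft()
            for target, _kind in edges.get(path[-1], []):
                if target in seen:
                    continue  # already visited on this walk
                seen.add(target)
                if target in special:  # record the chain and stop at SPECIAL
                    findings[(start, target)] = path + [target]
                else:
                    queue.append(path + [target])
    return findings

def to_dot(edges):  # Graphviz DOT of the act-as graph, for review
    lines = [f'  "{u}" -> "{t}" [label="{k}"];' for u in sorted(edges) for t, k in edges[u]]
    return "\n".join(["digraph surrogat {"] + lines + ["}"])

if __name__ == "__main__":
    for p in chains_to_special(build_edges(PERMITS), SPECIAL).values():
        print(" > ".join(p))
```

Each reported chain is a set of permits to review or remove so that no unprivileged user reaches a SPECIAL user through surrogates.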


BEGIN.REXX
GATOR.REXX
SUBM.REXX
UNIXM.REXX


PLUGINS.REXX


BEGIN.REXX


GETS OUTPUT DATASETS READY
GETS UNIX FILES READY
ADDS CURRENT USER TO PATH
STARTS GATOR.REXX


GATOR.REXX


GETS PATH

IF SPECIAL STOP
RUNS PLUGINS.REXX
LISTS SURROGATS


CHECKS THAT SURROGATS HAVEN'T BEEN VISITED
THEN:


IF *.SUBMIT -> SUBM.REXX
IF BPX.SRV.* -> UNIXM.REXX


SUBM.REXX


• SUBMITS A JCL AS THE SURROGAT USER WHICH
RUNS GATOR.REXX


UNIXM.REXX


JCL WHICH RUNS GATOR

FILE IN OMVS

GATOR CALLS IT WITH

bpxbatch sh su -s "[TARGET_USER]"


tmp/unixm


PLUGINS.REXX


• LIST OF REXX SCRIPTS TO RUN ON EACH USER
• RUN ENUMERATION SCRIPTS
• EASY TO ADD MORE


TESTING 


WITH ZPDT (EMULATED Z/OS) CREATED 1000
USERS


RANDOMLY ASSIGNED A COUPLE OPERATORS AND 
SPECIAL 


ADDED A COUPLE OF SURROGATS OF EACH TYPE TO
EACH USER


RAN GATOR 


GRAPHVIZ


SHELL MACRO 


• FROM THE USER THAT RAN GATOR


• RECURSIVELY SUBMIT JCL PASSING THE TARGET
AND HOW FAR IT IS IN THE PATH TO THE
TARGET


• AT THE END SUBMIT A CATSO SHELL (LIKE A
METERPRETER)


SETUP.SH


• S3270 SCRIPT
• UPLOADS ALL THE REXX SCRIPTS


TK4- 


BASED ON 1980S MAINFRAME OS (MVS 3.8J)
RUNS ON A RASPBERRY PI

ALL OPEN SOURCE/PUBLIC DOMAIN
http://wotho.ethz.ch/tk4-/

Run mvs to start it

x3270 [MVS IP] 3270 - (ONCE IT'S READY)
TOP RIGHT KEYBOARD - CLEAR

USERNAME HERC01 PASSWORD CUL8TR


KICKS AND BREXX


• KICKS, A CICS CLONE, CAN BE INSTALLED


• https://www.youtube.com/watch?v=u_ZSH90aq


™ 


• BREXX CAN BE INSTALLED ALLOWING YOU TO
RUN REXX SCRIPTS


HERCULES 


Q Public Licence 

MAINFRAME EMULATOR 

TK4- RUNS ON THIS 

THERE IS AN OLD Z/OS VERSION ONLINE
BUT PIRACY IS BAD MKAY 


